I know you have been battling this for a while. When you get hacked, Firefox/Chrome will warn you that Google has detected your site has been compromised. Google will also tell you the virus that is responsible, and there should be information on how it's spreading.
– rook Apr 20 '10 at 22:15

9 Answers
9

You can't install a true IDS on shared hosting, this is the host's responsibility.

A hack-ish solution:

You could create a script that ran periodically (using cron or some other mechanism), that would checksum all files, and compare the checksums with a previously stored record, then notify you if there are differences.

To find out if your script itself was deleted by the attack (1), you must also create a script sitting on a remote server (something like Google App Engine, perhaps), that pings your shared-server-script, and checks if it gets an expected result (a hash based on given time, perhaps) – if not, it emails you.
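One way to write the checksum script and the time-based heartbeat described in the answer above, as an added example that is not part of the original answer. The function names, the use of SHA-256 and HMAC, the JSON baseline file and the 300-second window are all assumptions.

```python
import hashlib, hmac, json, os, sys, time

def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):      # skip broken symlinks, sockets, etc.
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def diff(baseline, current):
    """Return the files added, removed and modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def check(root, baseline_path):
    """Compare root with the stored record; the first run only creates the record."""
    current = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh)
        return diff(current, current)
    with open(baseline_path) as fh:
        return diff(json.load(fh), current)

def heartbeat(secret, now=None, window=300):
    """Time-based token: the remote monitor recomputes it with the same secret
    and alerts if the shared-host script stops returning a matching value."""
    slot = int((time.time() if now is None else now) // window)
    return hmac.new(secret, str(slot).encode(), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    # Usage from cron: script.py <site root> <baseline file kept outside that root>
    report = check(sys.argv[1], sys.argv[2])
    print(json.dumps(report, indent=2))
    sys.exit(1 if any(report.values()) else 0)   # non-zero exit lets cron notify you
```

The baseline must be regenerated after every legitimate update, and an attacker who can write to the baseline file or read the heartbeat secret can defeat both checks, so keep them outside the web root.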

The best free and open source Intrusion Prevention System (IPS) for web applications (as in a Web Application Firewall, WAF) is Mod_Security. But no system will stop it all. Especially with WordPress, because it won a pwnie award for being so insecure. I would think seriously about ditching WordPress for any other blog engine.

Another option, which is best suited if you are in a shared hosting environment, is to use PHP-IDS. The name is a bit deceptive; it's actually a regular expression based IPS. All of the regular expressions used by PHP-IDS have been ported to Mod_Security. Mod_Security provides a much better level of protection (IPS) and logging (IDS).

WordPress can be safe and secure. WordPress.com serves as an example of a site that's certainly large enough to be a target and yet does fine. Being careful about which plugins you install, and patching when patches are available, gets you 99% there.
– ceejayoz Apr 20 '10 at 20:54

@ceejayoz the only thing to make WordPress secure would be a complete rewrite. I have reported vulnerabilities in their software and the "wordpress hackers" group responsible for WordPress security was unable to grasp even simple concepts of security. WordPress is without a doubt the most insecure PHP project ever written and will continue to be very insecure due to architectural flaws.
– rook Apr 20 '10 at 21:01

3

How do WordPress.com and a wide variety of heavily trafficked self-hosted WordPress blogs survive without regular hacking incidents, then? If WordPress is so insecure, why are hackers passing on the opportunity to inject their spam and malware in the WordPress installs serving billions of pageviews?
– ceejayoz Apr 20 '10 at 21:04

Aaaand a final note: the WP-Hackers group has nothing to do with WP security, it's for folks interested in extending WP via plugins or core updates. security@wordpress.org is the contact for security issues.
– ceejayoz Apr 20 '10 at 21:14

Rook: I think it is probably because WordPress security flaws get patched quickly once discovered. This does mean that anyone running an install must watch for new releases and install them as quickly as they can.

You could version the site with subversion/git/etc. Doing a simple 'svn status' or 'git status' would allow you to tell if the source files had changed. However, it obviously won't catch any modifications someone may have made to the database content, and it'll get a little messy when someone updates plugins (or WordPress itself), as so much will have changed.